Billions of devices imperiled by new clickless Bluetooth attack

Over the past decade, Bluetooth has become almost the default way for billions of devices to exchange data over short distances, allowing PCs and tablets to transfer audio to speakers and phones to zap pictures to nearby computers. Now, researchers have devised an attack that uses the wireless technology to hack a wide range of devices, including those running Android, Linux, and, until a patch became available in July, Windows.

BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device.

"Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, CTO and cofounder of security firm Armis, told Ars. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections."

Patch now, if you haven't already

Microsoft patched the vulnerabilities in July during the company's regularly scheduled Patch Tuesday. Company officials, however, didn't disclose the patch or the underlying vulnerabilities at the time. A Microsoft representative said Windows Phone was never vulnerable. Google, meanwhile, provided device manufacturers with a patch last month. It plans to make the patch available starting today for users of the Pixel XL and other Google-branded phones, but if past security bulletins are any guide, it may take weeks before over-the-air fixes are available to all users. Izrael said he expects Linux maintainers to release a fix soon. Apple's iOS prior to version 10 was also vulnerable.

The attack is most potent against Android and Linux devices, because the Bluetooth implementations in both operating systems are vulnerable to memory corruption exploits that execute virtually any code of the hacker's choosing. The Bluetooth functionality in both OSes also runs with high system privileges, allowing the resulting infection to access sensitive system resources and survive multiple reboots.

Surprisingly, the majority of Linux devices on the market today don't use address space layout randomization or similar protections to lessen the damage of BlueBorne's underlying buffer overflow exploit, Armis Head of Research Ben Seri said. That makes the code-execution attack on that OS "highly reliable." Android, by contrast, does use ASLR, but Armis was able to bypass the protection by exploiting a separate vulnerability in the Android implementation of Bluetooth that leaks memory locations where key processes are running. BlueBorne also massages Android memory in a way that further lessens the protection offered by ASLR. The result: Blueborne can carry out remote code-execution attacks on both OSes that are both stealthy and reliable.

Armis researchers haven't confirmed that code execution is possible against Windows' unpatched Bluetooth implementation, but they were able to carry out other attacks. The most significant one allows hackers to intercept all network traffic sent to and from the targeted Windows computer and to modify that data at will. That means attackers could use BlueBorne to bypass personal and corporate firewalls and exfiltrate sensitive data and possibly modify or otherwise tamper with it while it's in transit. The Android implementation is vulnerable to the same attack.

The following three videos demonstrate the attacks against Android, Linux, and Windows respectively:

BlueBorne—Android Take Over Demo.

Linux Take Over Demo.

BlueBorne - Windows MiTM Demo.

In all, Armis researchers uncovered eight Bluetooth-related vulnerabilities in Android, Linux, Windows, and iOS. The researchers consider three of the flaws to be critical. The researchers reported them to Google, Microsoft, and Apple in April and to Linux Maintainers in August. All parties agreed to keep the findings confidential until today's coordinated disclosure. The vulnerabilities for Android are indexed as CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785; the vulnerabilities for Linux are CVE-2017-1000251 and CVE-2017-1000250; the vulnerability for Windows is CVE-2017-8628; the designation for iOS vulnerability wasn't immediately available.

Up until now, Bluetooth has been notable for the dearth of critical vulnerabilities found in the specification or in its many implementations, with Armis being aware of only one code-execution flaw, in Windows, one that Microsoft fixed in 2011. The Armis researchers, however, said they believe there are likely many more overlooked critical bugs that remain to be found.

Further Reading

The vulnerabilities are coming to light a few months after two independent reports—one in April from Google's Project Zero and the other in July from Exodus Intelligence—exposed similarly critical vulnerabilities in Wi-Fi chips manufactured by Broadcom. They, too, allowed attacks that were transmitted wirelessly from device to device with no user interaction.

Typical of most proof-of-concept exploits, the BlueBorne attacks demonstrated in the videos are relatively simple. With more work, Armis researchers said they could probably develop a self-replicating worm that would spread from a single device to other nearby devices that had Bluetooth turned on, and from there those devices would infect other nearby devices in a chain reaction. Such self-replicating exploits could quickly take over huge numbers of devices at conferences, sporting events, or in work places. It has never been a bad idea to keep Bluetooth turned off by default and to turn it on only when needed—at least on Android phones, the large percentage of which still broadcast privacy-compromising MAC addresses for anyone within radio range to view. The vulnerabilities reported by Armis now reinforce the wisdom of that advice.

Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, told Ars such a worm might be hard to pull off because exploits would have to be customized for the hardware and operating system of each Bluetooth-enabled device. He also downplayed the likelihood of active BlueBorne attacks, noting that there's no indication either of the Broadcom chip vulnerabilities has ever been exploited in the wild.

Izrael confirmed that BlueBorne exploits would have to be customized for each platform but said the amount of work required to do so would be manageable. The Android exploit Armis has developed, for instance, already works on both a Pixel and Nexus phones.

"Any further customization for Android-based devices would be a very simple task," he said. What's more: "An attacker that would want to weaponize these exploits could achieve generic exploits with very little work."